phpgroupware-users

Re: [Phpgroupware-users] Help needed: Configuration quick reference cha


From: Izzy Blacklock
Subject: Re: [Phpgroupware-users] Help needed: Configuration quick reference chart...
Date: Sat, 05 Apr 2003 17:12:27 -0700
User-agent: KMail/1.4.3

On April 5, 2003 15:49, Dave Hall wrote:
> > > > phpgroupware 770
> > >
> > > owned by user:group - *not* the apache user 664
> >
> > shouldn't this be 775, or 755 as I've been doing.  Don't you need
> > execute permission to enter the dir?
>
> No, only the directories need execute rights ... not the files.

I thought that was what we were talking about.  The phpgroupware root 
directory should be 755.  I think the files are already 644 which works for 
me.

> > > > files 660
> > >
> > > owned by apache-user:apache-user - *not* the apache user - perms 660
> >
> > I'm confused
>
> Sorry I was cutting and pasting .... apache 660 will do

Again, are we talking the files directory or files within it?

> > Don't you want the sticky bit set on this to prevent unauthorized
> > modifications?  Here's a clip from
> > http://www.hackphreak.org/newbie/linuxbxj.txt which seems to do a
> > good job explaining the concept (I did a google to find it):
>
> Well, there is another option, our apps can set more secure perms on
> uploaded files, ie 600.  That will prevent this.

That doesn't fix the security "gap" that the sticky bit fixes.  If you give 
world write permissions to the temp dir, then that gives anyone the ability 
to modify files within it even if they don't own them.  See the description 
of the problem below.  The sticky bit enforces an ownership check that isn't 
done otherwise.

>
> > ----- 8< -----
> > Speaking of modes. There's a UNIX "gap" where you can have write
> > access to a file even if it's only +r for you, but you still have
> > +w access to the directory it's in.
> > `cat /dir/file > ~/temp ; vi ~/temp ; mv ~/temp /dir/file`
> > is a rough explanation for this. To prevent modification of files
> > unless the modifier is the file owner, directory owner, or
> > superuser, you use the sticky bit.
> > The sticky bit is an extra, 1000-mode, that you add to a
> > file/directory:
> > chmod 1755 stuff
> > ------ 8< -------
> >
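
The point argued above, that a mode of 600 on an uploaded file does not protect it when its directory is world-writable without the sticky bit, as an added example that is not part of the original message: a Python audit that walks a tree and reports such directories. The directory names (`files`, `tmp`, `inc`, `shared`), the file `upload.dat` and the helper names are constructed for illustration.

```python
import os
import stat
import tempfile


def unprotected_dirs(root, include_group=False):
    """Return sorted (path, octal mode) pairs for directories under root that
    others (optionally also the group) can write to and that lack the sticky
    bit. In such a directory any writer can rename or unlink files they do
    not own, whatever the mode of the files themselves."""
    writable = stat.S_IWOTH | (stat.S_IWGRP if include_group else 0)
    findings = []
    for dirpath, _dirs, _files in os.walk(root):  # symlinks are not followed
        mode = os.lstat(dirpath).st_mode
        if mode & writable and not mode & stat.S_ISVTX:
            findings.append((dirpath, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample tree in a fresh temp directory."""
    base = tempfile.mkdtemp(prefix="sticky-demo-")
    layout = {
        "files": 0o777,    # world-writable, no sticky bit: flagged
        "tmp": 0o1777,     # world-writable with sticky bit: ownership enforced
        "inc": 0o755,      # only the owner can write: nothing to flag
        "shared": 0o775,   # group-writable, no sticky bit
    }
    for name, mode in layout.items():
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask cannot mask bits
    # A 600 file inside the unprotected directory: the restrictive file mode
    # does not change the finding, because replacing the file is an
    # operation on the directory, not on the file.
    upload = os.path.join(base, "files", "upload.dat")
    with open(upload, "w") as handle:
        handle.write("constructed sample upload\n")
    os.chmod(upload, 0o600)
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, mode in unprotected_dirs(tree, include_group=True):
        print(f"{mode}  {path}  (writable without sticky bit)")
```

Running the audit with `include_group=True` also covers the case where several accounts share the group that owns the directory.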





